Re: [Emu] EAP and authorization

On Aug 14, 2009, Alan DeKok <aland at deployingradius.com> wrote: 
...
>  I can propose EAP-IP: carrying IP packets in EAP. It's crazy, but
>  possible. 

In many ways that's what PANA is about, but that's not what spurred me to respond.....

> The main limitation on bulk data transfer is that most EAP to
> RADIUS gateways (AP's, etc.) will terminate an EAP session after ~50
> packets.

This kind of thing drives me crazy.  Why are there such policies?
I develop/maintain a user interactive time-based EAP authentication that, unfortunately, 
has to jump through all sorts of real-time hoops for Access Points and 802.1x clients
that have these ad-hoc rules about what constitutes a "valid" EAP session time and packet wise.

It's one thing when many EAP methods deal with cached non-interactive credentials.
They can wham, bam, thank you ma'am in less than 10 seconds. 

It's another when a user and an authentication device is in the loop.
My user may wait for a new OTP value to come around, fumble finger it in, and possibly have
to do it twice if he got it wrong or is out of the sync window.
It can take several minutes.

Please do not build EAP session breaking assumptions into AAA implementations.


Sorry for the rant, but I still need to write up my EAP implementation experiences
from doing my SecurID Vista client.   The pain still hasn't completely subsided yet.

Dave.
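An added illustration of the point raised in the thread, not part of Dave's message and not code from any access point, RADIUS server or EAP method: a small Python model of an authenticator-side EAP session policy (a per-session packet cap and an idle timer, both hypothetical parameters) run over two constructed packet traces, one for a cached-credential method and one for a user-interactive OTP exchange with a mistyped token. It shows how a timer tuned for the first kind of method silently aborts the second, which is the behaviour the message complains about.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical authenticator policy. The field names and defaults are
# assumptions for this example, not settings from any real product.
@dataclass
class SessionPolicy:
    max_packets: Optional[int]       # hard cap on EAP packets per session, or None
    idle_timeout_s: Optional[float]  # max seconds waiting for a peer reply, or None

@dataclass
class Packet:
    t: float         # seconds since the EAP-Request/Identity that opened the session
    direction: str   # "req" = authenticator -> peer, "resp" = peer -> authenticator

def evaluate(trace: List[Packet], policy: SessionPolicy) -> Tuple[str, str]:
    """Replay a trace under a policy; return ("completed"|"aborted", reason)."""
    count = 0
    last_t = 0.0
    for pkt in trace:
        # The idle timer is measured on the peer's reply: how long the
        # authenticator had to wait since it sent the previous request.
        if (policy.idle_timeout_s is not None and pkt.direction == "resp"
                and pkt.t - last_t > policy.idle_timeout_s):
            return ("aborted",
                    f"idle {pkt.t - last_t:.0f}s > {policy.idle_timeout_s:.0f}s "
                    f"before packet {count + 1}")
        count += 1
        if policy.max_packets is not None and count > policy.max_packets:
            return ("aborted", f"packet count {count} > {policy.max_packets}")
        last_t = pkt.t
    return ("completed", f"{count} packets in {trace[-1].t:.0f}s")

def cached_credential_trace() -> List[Packet]:
    # Constructed: a non-interactive method finishing in well under 10 seconds.
    return [
        Packet(0.0, "req"),  Packet(0.1, "resp"),   # Identity exchange
        Packet(0.2, "req"),  Packet(0.5, "resp"),   # method round 1
        Packet(0.7, "req"),  Packet(1.0, "resp"),   # method round 2
        Packet(1.2, "req"),                         # EAP-Success
    ]

def interactive_otp_trace() -> List[Packet]:
    # Constructed: the user waits for a fresh token value, types it,
    # gets it wrong, and waits for the next value before retrying.
    return [
        Packet(0.0, "req"),    Packet(0.2, "resp"),    # Identity exchange
        Packet(0.4, "req"),                            # prompt for OTP
        Packet(48.0, "resp"),                          # ~48s: user enters a value
        Packet(48.3, "req"),                           # wrong value, re-prompt
        Packet(110.0, "resp"),                         # ~62s later: retry
        Packet(110.2, "req"),                          # EAP-Success
    ]

# Two hypothetical policies: one tuned for fast methods, one that tolerates a human.
STRICT = SessionPolicy(max_packets=50, idle_timeout_s=30.0)
PATIENT = SessionPolicy(max_packets=50, idle_timeout_s=300.0)

if __name__ == "__main__":
    for name, trace in (("cached", cached_credential_trace()),
                        ("otp", interactive_otp_trace())):
        for pname, policy in (("strict", STRICT), ("patient", PATIENT)):
            print(name, pname, evaluate(trace, policy))
```

The packet cap never fires in either trace; it is the idle timer, set for a method that answers in milliseconds, that kills the OTP session at the first human-speed reply. An authenticator that wants a safety limit against stalled sessions can keep a generous per-reply timer (minutes, not seconds) and a high packet cap, and rely on the EAP method itself to fail the session when it decides the user has given up.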
